The 11th Circuit recently released its long-awaited opinion in FTC v. LabMD. Anyone monitoring data privacy regulation in America has been waiting for this opinion to help corporations understand their obligations under US privacy regulation.
Unfortunately for those of us looking for clear guidance to pass along to our clients, the Court did not address many of the issues before it.
LabMD was once a small company that analyzed medical specimens for the purpose of cancer diagnoses. In 2007, an employee installed LimeWire, a peer-to-peer file-sharing application, on a work computer. The employee did not realize that the folder selected for downloads also becomes a shared folder: any file placed in it is made available to every other user on the peer-to-peer network. In 2008, an employee of the IT security company Tiversa used LimeWire to download a file from that folder containing names, addresses, birthdates, Social Security Numbers, insurance information, and laboratory test codes for 9,300 LabMD patients. Tiversa then offered its services to LabMD to investigate the purported breach, which LabMD refused. Ultimately, Tiversa alerted the Federal Trade Commission to the disclosure.
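The LabMD exposure is a shared-folder problem: a directory that is visible to the whole peer-to-peer network ended up holding a patient export. The following is an added example, not part of the original post and not LabMD's, Tiversa's, or the FTC's material, of the kind of check an endpoint or data-loss-prevention scan can run over a download or shared directory before files in it are served to strangers. It walks a folder, counts Social Security Number-shaped tokens in each file, and filters out values that could never have been issued (area 000, 666 or 900-999, zero group or serial) to reduce false positives. The folder contents and SSN values are constructed for the example; the function names and the fixed-format assumption (AAA-GG-SSSS with hyphens) are this example's own.

```python
import os
import re
import tempfile
from pathlib import Path

# SSN-shaped tokens: AAA-GG-SSSS. The validity rules in is_plausible_ssn()
# follow the published format constraints (area 000, 666 and 900-999 are
# never issued, and neither is a zero group or zero serial).
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject tokens that match the pattern but could not be a real SSN."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def count_ssns(text: str) -> int:
    """Number of plausible SSNs in a blob of text."""
    return sum(1 for m in SSN_RE.finditer(text) if is_plausible_ssn(*m.groups()))


def scan_shared_folder(root, threshold: int = 1) -> dict:
    """Walk root and return {relative_path: ssn_count} for every file whose
    plausible-SSN count is at least threshold. Unreadable files are skipped;
    binary content is decoded with errors ignored so the regex still runs."""
    root = Path(root)
    hits = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="ignore")
        except OSError:
            continue
        n = count_ssns(text)
        if n >= threshold:
            hits[str(path.relative_to(root))] = n
    return hits


def build_demo_folder() -> str:
    """Constructed sample 'shared downloads' folder (assumption: the file
    names and every record in them are invented for this example)."""
    d = Path(tempfile.mkdtemp(prefix="p2p_shared_"))
    # A patient billing export that should never be in a shared folder.
    (d / "insurance_aging.csv").write_text(
        "last,first,dob,ssn,plan\n"
        "Doe,Jane,1970-01-01,123-45-6789,PPO\n"
        "Roe,Rick,1965-05-05,219-09-9999,HMO\n"
        "Poe,Pat,1980-09-09,078-05-1120,PPO\n"
    )
    # Look-alike tokens that the validity rules should discard.
    (d / "readme.txt").write_text(
        "ticket 000-12-3456, build 666-01-0001, ref 900-11-1111\n"
    )
    (d / "notes.txt").write_text("order 123-45-0000 shipped\n")
    os.makedirs(d / "music", exist_ok=True)
    (d / "music" / "track01.txt").write_text("just lyrics here\n")
    return str(d)


if __name__ == "__main__":
    folder = build_demo_folder()
    for rel, n in sorted(scan_shared_folder(folder).items()):
        print(f"{n:4d} plausible SSN(s): {rel}")
```

Running the block prints the one offending file, `insurance_aging.csv`, with three plausible SSNs, while the look-alike tokens in `readme.txt` and `notes.txt` are discarded. A scan like this is a detective control only; the preventive fix is to keep peer-to-peer clients off machines that handle patient data in the first place, which is the narrow, specific act the Court later contrasted with the FTC's broad order.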
Authority & Enforcement Actions
Typically, when an organization receives a complaint from the FTC, it chooses to negotiate toward a settlement. Fighting the complaint usually means arguing before an Administrative Law Judge (“ALJ”). Should an organization win before the ALJ, the FTC appeals to the FTC commissioners, the very commissioners who directed the FTC to bring the action in the first place. Needless to say, the FTC’s record of persuading its own commissioners that its actions are appropriate is strong. The next level of appeal is to a federal Court of Appeals, and to “win” there is often to have the case remanded to a lower level to resume the litigation. These legal battles are costly and time-consuming. Indeed, the FTC issued its complaint against LabMD in August 2013; the 11th Circuit’s decision was released in June 2018. In the meantime, LabMD went out of business. Losing at any level results in the issuance of a coercive order, either an injunction or a cease and desist order, which outlines what an organization subject to the order may and may not do.
LabMD asserted, among other arguments, that the FTC did not have the authority to find LabMD’s practices unfair based on the facts, that the FTC’s regulation of organizations also subject to HIPAA was “reprehensible,” and that the coercive order was inappropriate.
Whether the FTC has the authority to regulate cybersecurity as an unfair business practice.
In 2015, the 3rd Circuit tackled substantially similar issues in FTC v. Wyndham Worldwide Corp. In Wyndham, the defendants argued that they had no notice of the specific cybersecurity practices which must be implemented to avoid liability. The Court found that the defendant was “entitled to a relatively low level of statutory notice” and that numerous FTC publications on best practices easily satisfied the notice requirement.
The FTC repeatedly cited Wyndham in its brief in LabMD (and, interestingly, the Court in Wyndham referenced a previous ruling in the LabMD saga) to support its legal authority for its actions. The 11th Circuit did not reference Wyndham in its opinion in LabMD, and wrote its opinion so that it did not have to. The Court never analyzed the FTC’s authority to regulate cybersecurity practices as unfair business practices; it assumed for the sake of argument that the FTC’s unfairness theory was valid, while appearing slightly skeptical of it. Sidestepping the authority issue, the 11th Circuit instead focused solely on the coercive order.
Whether the FTC can regulate issues covered by HIPAA.
LabMD argued that the Health Insurance Portability and Accountability Act (“HIPAA”) gives the Department of Health and Human Services the exclusive right to regulate data security standards for the healthcare industry. Since LabMD was governed by HIPAA, the FTC could not also provide overlapping or conflicting regulation.
Had LabMD prevailed on this issue, the opinion would be far more significant. Indeed, the FTC has brought enforcement actions against Rite Aid (https://www.ftc.gov/enforcement/cases-proceedings/072-3121/rite-aid-corporation-matter), PaymentsMD (https://www.ftc.gov/enforcement/cases-proceedings/132-3088/paymentsmd-llc-matter), Accretive Health (https://www.ftc.gov/enforcement/cases-proceedings/122-3077/accretive-health-inc-matter), and other entities covered under HIPAA. In its brief, the FTC borrows a phrase from FTC v. Ken Roberts Co., saying that HHS and the FTC have “overlapping and concurring regulatory jurisdiction.”
The Court in this case did not address this issue or even mention the argument in its opinion. It did, however, say the following in its statement of the facts of the case: “LabMD was subject to data-security regulations issued under the Health Insurance Portability and Accountability Act of 1996, known colloquially as HIPAA.” The Court could easily have added that LabMD was subject to FTC rules as well, but did not. While not addressing the issue, the 11th Circuit has left the door open to a future challenge of the FTC’s authority to regulate healthcare entities already subject to HHS regulation under HIPAA.
Whether the Injunction was appropriate
The Court in LabMD ruled that the coercive order is unenforceable on the facts of this case. LabMD’s problem stemmed from an employee unknowingly sharing private information; however, the order did not merely prohibit LabMD from allowing peer-to-peer software on its network. Instead, the order required LabMD to implement a “reasonable” data security program without saying what one looks like. That reasonableness standard, according to the Court, is indeterminate: an order must enjoin a specific act or practice if a violation of it is to be identified and punished. The Court was very concerned about having to enforce such orders, and imagined a battle of expert witnesses arguing over what a reasonable data security program looks like, after which a court would have to decide whether an organization was violating its coercive order.
The Future of FTC Regulation
The FTC has several options to consider related to the LabMD decision. It may petition the US Supreme Court to review the 11th Circuit’s decision, which the Supreme Court could elect to hear or not. If this opinion stands, the FTC could limit its orders to the specific acts or practices it is enjoining. Perhaps requiring a more definite data security standard, such as one published by an industry organization, would solve the problems the Court raised with the “reasonable” standard. The FTC could conceivably bring a similar action in a different circuit and hope for a circuit split. Alternatively, the FTC could reevaluate its role in enforcing data security issues altogether.
The FTC appears inclined to take up that last option. On June 20, the FTC announced hearings on what it refers to as “Competition and Consumer Protection in the 21st Century.” (https://www.ftc.gov/news-events/press-releases/2018/06/ftc-announces-hearings-competition-consumer-protection-21st) Running from September 2018 through January 2019, the hearings are intended as a time for “serious reflection and evaluation” during which the FTC will listen to affected parties on a range of issues, including:
Competition and consumer protection issues in communication, information, and media technology networks;
The intersection between privacy, big data, and competition;
The Commission’s remedial authority to deter unfair and deceptive conduct in privacy and data security matters;
The role of intellectual property and competition policy in promoting innovation;
The agency’s investigation, enforcement, and remedial processes;
Ultimately, the LabMD opinion does little to help companies unsure of the regulatory standard with which they must comply. The FTC’s typical practice of entering a coercive order mandating “reasonable” security practices is no longer safe, at least in the 11th Circuit, but the Court never said the FTC could not bring enforcement actions related to data security under the unfairness prong at all. Future actions will likely be informed by the upcoming public hearings and by the ongoing, slow-moving litigation of the few companies with the desire to challenge such actions instead of quickly settling.